Threat Encyclopedia


Win32/Bagle.DR

Win32/Bagle.DR is an email worm. Three different components of this worm have been identified so far.

A downloader about 3 kB in size is probably the component spammed first. When executed, it downloads a file from a single URL, saves it in the %system% folder under a random filename and then executes it. The downloaded file is the mass-mailer.

Note: %windir% denotes the Windows directory (e.g. C:\WINDOWS) and %system% denotes the Windows System directory (e.g. C:\WINDOWS\SYSTEM32); the actual paths differ between versions of Microsoft Windows.

The mass-mailing component is about 20 kB in size. When executed, it copies itself into the %system% folder as "wind2ll2.exe".

A registry value named "erfgddfk", containing the path to wind2ll2.exe, is added under the following key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n

The worm removes several registry entries related to other Win32 worms.

Embedded in the executable is a ZIP archive containing the next component of Win32/Bagle.DR: another small downloader, which is what the mass-mailer spreads further via e-mail.

The subject of each message sent is picked at random from the following list:

Ales
Alice
Alyce
Andrew
Androw
Androwe
Ann
Anna
Anne
Annes
Anthonie
Anthony
Anthonye
Avice
Avis
Bennet
Bennett
Constance
Cybil
Daniel
Danyell
Dorithie
Dorothee
Dorothy
Edmond
Edmonde
Edmund
Edward
Edwarde
Elizabeth
Elizabethe
Ellen
Ellyn
Emanual
Emanuel
Emanuell
Ester
Frances
Francis
Fraunces
Gabriell
Geoffraie
George
Grace
Harry
Harrye
Henrie
Henry
Henrye
Hughe
Humphrey
Humphrie
Christean
Christian
Isabel
Isabell
James
Jane
Jeames
Jeffrey
Jeffrye
Joane
Johen
John
Josias
Judeth
Judith
Judithe
Katherine
Katheryne
Leonard
Leonarde
Margaret
Margarett
Margerie
Margerye
Margret
Margrett
Marie
Martha
Mary
Marye
Michael
Mychaell
Nathaniel
Nathaniell
Nathanyell
Nicholas
Nicholaus
Nycholas
Peter
Ralph
Rebecka
Richard
Richarde
Robert
Roberte
Roger
Rose
Rycharde
Samuell
Sara
Sidney
Sindony
Stephen
Susan
Susanna
Suzanna
Sybell
Sybyll
Syndony
Thomas
Valentyne
William
Winifred
Wynefrede
Wynefreed
Wynnefreede

The same list is used to choose a random filename for the ZIP archive attached to the message.

The body of the message contains one of the following lines:

All-foto
AN-FOTO
D-Foto
FOTO-1
FOTO-2
FOTO-3
FOTO-4
foto-bank
foto-books
FOTO-DIGITAL
foto-flower
foto-forum
Foto-War
FOTO HOME
foto land
Foto Portal
foto telephone
Foto&Video
Foto.Md
Internet-foto
m-foto
MAIL.FOTO
my foto
OK-FOTO
S-Foto
VIP-foto
web-foto

The archive contains an executable with the fixed filename "123.exe", about 9 kB in size. When the user executes it, it copies itself into the %system% directory as "anti_troj.exe".
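The three message traits described above (a subject from the name list, a body consisting of one of the "foto" lines, and a ZIP attachment named after a name from the same list that holds a single "123.exe") are enough for a mail-gateway filter. The following is an added example, not code from ESET or from the write-up; it reproduces the lists verbatim, constructs a sample message inline (the attachment payload is placeholder bytes, not the worm), and flags a message when the characteristic attachment is combined with either the subject or the body pattern.

```python
"""Mail-gateway triage for the Win32/Bagle.DR mailer (added example, not ESET's code)."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Subject / attachment-name list from the description (case-folded for matching).
SUBJECT_NAMES = {n.lower() for n in """
Ales Alice Alyce Andrew Androw Androwe Ann Anna Anne Annes Anthonie Anthony
Anthonye Avice Avis Bennet Bennett Constance Cybil Daniel Danyell Dorithie
Dorothee Dorothy Edmond Edmonde Edmund Edward Edwarde Elizabeth Elizabethe
Ellen Ellyn Emanual Emanuel Emanuell Ester Frances Francis Fraunces Gabriell
Geoffraie George Grace Harry Harrye Henrie Henry Henrye Hughe Humphrey Humphrie
Christean Christian Isabel Isabell James Jane Jeames Jeffrey Jeffrye Joane
Johen John Josias Judeth Judith Judithe Katherine Katheryne Leonard Leonarde
Margaret Margarett Margerie Margerye Margret Margrett Marie Martha Mary Marye
Michael Mychaell Nathaniel Nathaniell Nathanyell Nicholas Nicholaus Nycholas
Peter Ralph Rebecka Richard Richarde Robert Roberte Roger Rose Rycharde Samuell
Sara Sidney Sindony Stephen Susan Susanna Suzanna Sybell Sybyll Syndony Thomas
Valentyne William Winifred Wynefrede Wynefreed Wynnefreede
""".split()}

# Message-body lines from the description.
BODY_LINES = {b.lower() for b in (
    "All-foto", "AN-FOTO", "D-Foto", "FOTO-1", "FOTO-2", "FOTO-3", "FOTO-4",
    "foto-bank", "foto-books", "FOTO-DIGITAL", "foto-flower", "foto-forum",
    "Foto-War", "FOTO HOME", "foto land", "Foto Portal", "foto telephone",
    "Foto&Video", "Foto.Md", "Internet-foto", "m-foto", "MAIL.FOTO", "my foto",
    "OK-FOTO", "S-Foto", "VIP-foto", "web-foto",
)}

INNER_EXE = "123.exe"  # fixed name of the executable inside the worm's ZIP


def score_message(raw: bytes) -> dict:
    """Report which of the three worm traits a raw RFC 822 message exhibits."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", "")).strip().lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip().lower() if body_part else ""
    traits = {"subject": subject in SUBJECT_NAMES, "body": body in BODY_LINES,
              "attachment": False}
    for part in msg.iter_attachments():
        stem, _, ext = (part.get_filename() or "").rpartition(".")
        if ext.lower() != "zip" or stem.lower() not in SUBJECT_NAMES:
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            continue  # corrupt or non-ZIP payload: not the worm's archive
        if len(names) == 1 and names[0].lower() == INNER_EXE:
            traits["attachment"] = True
    return traits


def is_bagle_dr(raw: bytes) -> bool:
    """Flag the characteristic attachment combined with the subject or body pattern."""
    t = score_message(raw)
    return t["attachment"] and (t["subject"] or t["body"])


def build_sample(subject: str, body: str, zip_name: str, inner_name: str) -> bytes:
    """Construct a message shaped like the worm's (test data, not a real capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"MZ" + b"\0" * 64)  # placeholder bytes, not the worm
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=zip_name)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample("John", "my foto", "John.zip", "123.exe")
    print(score_message(sample), is_bagle_dr(sample))
```

The filter deliberately requires the attachment trait plus one of the two text traits: a subject that is just a first name, or a body that is just "my foto", occurs in legitimate mail, but a single-name ZIP wrapping a lone 123.exe does not. The archive is opened with the standard library, so an attachment that fails to parse as a ZIP is simply skipped rather than crashing the filter.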

So that it runs on every system start, the downloader adds a registry value named "anti_troj", containing the path to anti_troj.exe, under both of the following keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

It then displays the image %system%\ntimage.gif. This happens only once: on its first run the program creates the registry entry HKEY_CURRENT_USER\Software\FirstRRRun\FirstRRRun, and the presence of that entry suppresses the image on later runs.
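The persistence artifacts above (the "erfgddfk" value written by the mass-mailer, the "anti_troj" values written by the downloader under both Run keys, and the FirstRRRun marker) can be checked on a suspect host from a plain registry export. The following is an added example, not ESET's code: it parses the text form of a "reg export" file and lists every matching key or value. The export it runs on is constructed for the demonstration, and the Run-key pattern matches both the real "Run" key and the "Ru1n" key exactly as the description spells it, so neither is missed.

```python
"""Scan a .reg export for Win32/Bagle.DR persistence artifacts (added example, not ESET's code)."""
import re

# Value names and dropped file names taken from the description.
RUN_VALUE_NAMES = {"erfgddfk", "anti_troj"}
DROPPED_FILES = {"wind2ll2.exe", "anti_troj.exe"}
MARKER_KEY = r"HKEY_CURRENT_USER\Software\FirstRRRun"
# ...\CurrentVersion\Run and ...\CurrentVersion\Ru1n (as spelled in the description)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Ru1?n$",
                        re.IGNORECASE)

# Constructed export, not taken from a real infected machine.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"anti_troj"="C:\\WINDOWS\\system32\\anti_troj.exe"
"OneDrive"="C:\\Users\\me\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"anti_troj"="C:\\WINDOWS\\system32\\anti_troj.exe"
"SecurityHealth"="C:\\WINDOWS\\system32\\SecurityHealthSystray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n]
"erfgddfk"="C:\\WINDOWS\\system32\\wind2ll2.exe"

[HKEY_CURRENT_USER\Software\FirstRRRun]

[HKEY_CURRENT_USER\Software\FirstRRRun\FirstRRRun]
"""


def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: data}} from .reg text; only string values are kept."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith('"') and data.endswith('"'):
                # .reg files escape backslashes as \\ inside quoted strings
                keys[current][name.strip('"')] = data[1:-1].replace("\\\\", "\\")
    return keys


def find_bagle_dr(text: str) -> list:
    """List every artifact from the description that appears in the export."""
    findings = []
    for path, values in parse_reg(text).items():
        if path.lower().startswith(MARKER_KEY.lower()):
            findings.append(f"marker key present: {path}")
        if not RUN_KEY_RE.search(path):
            continue
        for name, data in values.items():
            # last path component, with any command-line arguments dropped
            tail = data.rsplit("\\", 1)[-1].split()
            exe = tail[0].lower() if tail else ""
            if name.lower() in RUN_VALUE_NAMES or exe in DROPPED_FILES:
                findings.append(f"{path}\\{name} -> {data}")
    return findings


if __name__ == "__main__":
    for finding in find_bagle_dr(SAMPLE_REG):
        print(finding)
```

On a live system the export is produced with `reg export HKCU\Software out.reg` (and likewise for the HKLM Run key); `reg export` writes UTF-16LE, so open the file with `encoding="utf-16"` before passing its text to `find_bagle_dr`. Matching on the dropped file name as well as the value name catches a sample that keeps the path but changes the value name.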

The downloader contains a list of 51 URLs from which it repeatedly tries to download a file. If it succeeds, the file is saved under a random filename in the %system%\exefld folder and then executed. It is not known what file is meant to be downloaded; it might be one of the components described above.

NOD32 was able to detect all three components of Win32/Bagle.DR proactively. Signatures have been available since version 1.1301.

History: Analysis and Write-up by: Juraj Sarinay